From 7717827c76825f149154b9063ae773aec0dd4ffc Mon Sep 17 00:00:00 2001
From: Mauro Amico <mauro.amico@gmail.com>
Date: Sat, 25 Jan 2025 23:33:55 +0100
Subject: [PATCH] userid

---
 news/1867.bugfix                              |  4 +++-
 .../restapi/services/locking/__init__.py      | 12 +++++-----
 src/plone/restapi/tests/test_locking.py       | 24 +++++++++++++++++++
 3 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/news/1867.bugfix b/news/1867.bugfix
index 1c008c8ca..995b11007 100644
--- a/news/1867.bugfix
+++ b/news/1867.bugfix
@@ -1 +1,3 @@
-In the `creator_name` function, return the username if the user is not found, instead of raising `AttributeError`. @mamico
+In the `creator_name` function for locking endpoint, return the userid if the user is not found, instead of raising `AttributeError`. @mamico
+
+Zope locks store their creator using the userid, not the username (login name), changed accordly the `creator_name` and `creatur_url` function. @davisagli @mamico
diff --git a/src/plone/restapi/services/locking/__init__.py b/src/plone/restapi/services/locking/__init__.py
index 327e22b77..c9347a7b4 100644
--- a/src/plone/restapi/services/locking/__init__.py
+++ b/src/plone/restapi/services/locking/__init__.py
@@ -7,17 +7,17 @@
 from plone.locking.interfaces import ILockable
 
 
-def creator_name(username):
-    user = api.user.get(username=username)
+def creator_name(userid):
+    user = api.user.get(userid=userid)
     if user:
-        return user.getProperty("fullname") or username
+        return user.getProperty("fullname") or userid
     else:
-        return username
+        return userid
 
 
-def creator_url(username):
+def creator_url(userid):
     url = api.portal.get().absolute_url()
-    return f"{url}/author/{username}"
+    return f"{url}/author/{userid}"
 
 
 def creation_date(timestamp):
diff --git a/src/plone/restapi/tests/test_locking.py b/src/plone/restapi/tests/test_locking.py
index 4131c43da..40e7fc5b8 100644
--- a/src/plone/restapi/tests/test_locking.py
+++ b/src/plone/restapi/tests/test_locking.py
@@ -131,3 +131,27 @@ def test_lock_user_removed(self):
         self.assertEqual(response.json()["creator"], "foo")
         self.assertEqual(response.json()["creator_name"], "foo")
         self.assertTrue(lockable.locked())
+
+    def test_lock_username_vs_userid(self):
+        lockable = ILockable(self.doc)
+        api.user.create(
+            username="foo1234",
+            email="foo@bar.com",
+            roles=["Manager"],
+            properties={"fullname": "Foo Bar"},
+        )
+        pas = api.portal.get_tool("acl_users")
+        # generally the username and userid are the same...
+        self.assertEqual(pas.getUserById("foo1234").getUserName(), "foo1234")
+        # ...but we can change it
+        pas.updateLoginName("foo1234", "foo")
+        self.assertEqual(pas.getUserById("foo1234").getUserName(), "foo")
+        with api.env.adopt_user(username="foo"):
+            lockable.lock()
+        transaction.commit()
+        response = self.api_session.get("/@lock")
+        self.assertEqual(response.status_code, 200)
+        # here the userid
+        self.assertEqual(response.json()["creator"], "foo1234")
+        self.assertEqual(response.json()["creator_name"], "Foo Bar")
+        self.assertTrue(lockable.locked())